From: Matthew Allen <matthew.allen@citrix.com>
To: xen-devel@lists.xen.org
Cc: committers@xenproject.org
Subject: Possible improvement to Xen Security Response Process
Date: Mon, 5 Dec 2016 14:17:27 +0000 [thread overview]
Message-ID: <1480947447.1813.36.camel@citrix.com> (raw)
According to https://xenbits.xen.org/xsa/ we are in the middle of
4 consecutive Tuesdays of security announcements: XSA-19[1-8]
on Nov. 22, XSA-201 Nov. 29, XSA-199 Dec. 6 and XSA-200 Dec. 13.
The present security policy does not encourage batching of XSAs and
I would like us to consider refining the policy to permit this.
The present approach of frequent security updates causes significant
disruption to users. Many organisations test updates before deploying
in production; because security updates are so important this displaces
other work at short notice and doing so repeatedly is a significant
impact to users of Xen. Updating the policy to encourage the batching
of updates would reduce the load of using Xen.
From a security purist point of view, any delay in publication could
increase the possibility of vulnerabilities being exploited in the
wild. However, given the significant frequency of publication of XSAs,
I’d suggest that users failing to keep up with the publication rate
is presently a much greater security risk.
If XSAs were to be batched, we should also consider if batch updates
should be encouraged to be on pre-defined dates. The present
unpredictability makes it unnecessarily more difficult for users of
Xen to plan their lives. For example, our present process causes
organisations with few administrators to choose between cancelling
holidays or not patching.
Obviously, some issues are discussed in public before the security
impact is realised (such as XSA-201); equally, the right to set
a disclosure date (if any) rests with the discoverer. However,
my experience of other software (which may not be typical) has been
that discoverers are usually happy to go along with any reasonable
proposed date given in the same way that discoverers of XSAs are
usually happy to conform to our present policy.
If this seems a good idea, then I’ll post a concrete proposal but
I’d like to get general feedback first.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next reply other threads:[~2016-12-05 14:17 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 14:17 Matthew Allen [this message]
2016-12-05 15:00 ` Possible improvement to Xen Security Response Process Jan Beulich
2016-12-05 19:24 ` Stefano Stabellini
2016-12-06 14:54 ` Matthew Allen
2016-12-07 16:23 ` Ian Jackson
2016-12-12 17:11 ` Matthew Allen
2016-12-13 1:54 ` Anthony Liguori
2016-12-13 8:41 ` Jan Beulich
2017-01-04 11:58 ` James Bulpin
2017-01-04 13:01 ` Jan Beulich
2017-01-04 13:12 ` James Bulpin
2017-01-20 19:21 ` Ian Jackson
2017-01-23 11:30 ` Jan Beulich
2017-02-17 11:18 ` Lars Kurth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1480947447.1813.36.camel@citrix.com \
--to=matthew.allen@citrix.com \
--cc=committers@xenproject.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).